We address criticism of the Letter "Exposed-Key Weakness of αη" in the Comment by Nair and Yuen. The Comment claims that the Letter does not show insecurity of αη because our approximation for the eavesdropper's entropy on the encryption key is invalid. We present simulations which show that, on the contrary, our estimate is in close agreement with numerical calculations of the actual entropy over the applicable domain. We additionally discuss some ways in which our views on security requirements differ from the views given in the Comment.



The Comment by Nair and Yuen [1] claims to refute statements made in our Letter "Exposed-Key Weakness of αη" [2]. The main dispute concerns the validity of an approximation used in the derivation of our estimate for the eavesdropper's entropy on the encryption key. In this Reply, we present simulations supporting the validity of our estimate and provide a more detailed explanation of the reasoning underlying our approximation. We then give various applications of our estimate in quantifying security, and discuss some ways in which we differ from the authors of the Comment with regard to security requirements.

First, let us reiterate the claims made in the original Letter which are nominally disputed. We assume an αη system using M coherent states, initialized with an L-bit seed key K, with measurement error described by a gaussian distribution with standard deviation σ. In our Letter, we state that even if an eavesdropper Eve starts with zero information on both the key and the message under transmission (i.e. a ciphertext-only attack),

    We therefore take U... as an upper bound on Eve's information on K per measured symbol. We expect Eve's information to grow linearly with the number of symbols... This approximation will of course break down when Eve's entropy on K is low, such that her entropy on the key will only asymptotically approach zero as the number of symbols goes to infinity... Eve's entropy on the key will transition from linear decline to asymptotic decay after measuring approximately $n_0 = L/U$ symbols...

where we derived U to be

$U \approx \log\left(\frac{M}{\sigma\sqrt{2\pi e}}\right) - 1.$ (1)

This can be summarized as

$H_E(K) \ge L - QU,$ (2)

$H_E(K) \approx L - QU$ for $Q < n_0 = L/U,$ (3)

where Q is the number of encoded bits sent, and

$\lim_{Q \to \infty} H_E(K) = 0,$ (4)

where $H_E(K)$ is Eve's entropy on the key.

The authors of the Comment argue that (3) can be replaced with

$H_E(K) = L - QU$ for $Q < n_{dep},$ (5)

$H_E(K) > L - QU$ for $Q > n_{dep},$ (6)

where $n_{dep}$ is the number of statistically independent strings $\{k_q\}$ generated by the pseudo-random number generator (PRNG), and is dependent on which PRNG is used; an upper bound for $n_{dep}$ is given in the Comment as $n_{dep} < |K| / \log_2(M/2)$. We do not disagree with

However, the Comment additionally claims that for $n_{dep} < Q \ll n_0$, the left and right hand sides of (6) may be sufficiently far apart that the approximation (3) is not valid. To investigate this claim, we performed Monte Carlo simulations of the αη system. For each simulation, a seed key and message were chosen from a uniform distribution. The running key was generated from the seed key using an L-bit linear feedback shift register (LFSR) as the PRNG. Eve's measurements were simulated by adding a gaussian distributed random variable to the phase angle of each symbol sent. We calculated the probability that Eve assigns to each seed key by starting with a uniform probability and using the measurement result after each transmitted symbol to update the probabilities.

Over this ensemble, with randomly chosen seed, message, and measurement noise, we computed the average entropy that Eve has on the seed key, and the average probability that she assigns to the correct seed key, $P_E(K)$ (see Figure 1). The parameters used in the calculation are L = 13, M = 256, σ = 16, and the averaging was performed over $10^4$ simulations. For comparison, our estimate (3) is also plotted.

As can be seen from Fig. 1, our estimate is quite accurate over the specified domain. Note that with these simulation parameters, $n_{dep} < 2$; that is, the second running key is not statistically independent of the first. However, it can be seen that the amount of information that Eve gains from each symbol is nearly the same for the first several symbols. Indeed, even when the entropy is less than the size of the running key, our estimate is still valid. The actual entropy does not significantly deviate from our estimate until the entropy is quite low.

FIG. 1: Circles (○) on the left axis denote the expectation of Eve's entropy on the key, $H_E(K)$, as a function of the number of encoded bits sent, Q. Squares (□) on the right axis indicate $P_E(K)$, the average probability that Eve assigns to the correct value of the key. The line is the estimate (3) calculated in the Letter. The PRNG is a 13-bit LFSR, the number of possible symbols for each transmission is M = 256, and the gaussian measurement noise has standard deviation σ = 16. Averaging was performed over $10^4$ Monte-Carlo simulations.

This can be understood by re-visiting the derivation 
in the Letter. The derivation does not depend on an 
analogy to Shannon's random cipher, as the Comment 
supposes, and additionally is completely independent of 
the contents of the plaintext. It instead results from a 
consideration of the probabilities that Eve assigns to the 
keys after each measurement. 

Eve begins with no information on the key. Therefore, she assigns the same probability to all possible values. Upon making a measurement, however, she can update these probabilities according to Bayes' rule, which states that the probability of each key should be multiplied by the probability that that key would generate the observed measurement (divided by a normalization factor). Thus seed keys which generate running keys close (on the half-circle) to the observed symbol will have their probabilities increased, while seed keys which generate distant running keys will have their probabilities lowered. The information that Eve gains is related to the change in the probabilities she assigns to the symbols before and after the measurement.

The estimate (3) is based on the approximation that just prior to each measurement, Eve's probabilities are, on average, nearly uniform across the possible symbol values, and assumes a well-behaved PRNG. We may consider the PRNG as an ordered list of Q maps from the space of seed keys $\{0, \ldots, 2^L - 1\}$ to the space of running keys $\{0, \ldots, M - 1\}$. We assume that the PRNG will be a typical member of the set of all lists of maps, and therefore that the distribution of running keys (on ensembles with varying seed key and iteration number) will be nearly uniform. In other words, though the PRNG is entirely deterministic, its ensemble distributions will mimic those of a true random number generator with uniform probabilities. In practice, even an LFSR, which is generally considered a poor PRNG, appears to be sufficiently well-distributed for our purposes.

Let us consider a simple case in order to better understand why this estimate works. Take the case where the measurement noise is uniformly distributed over one quarter of the phase circle. The determination of the half-circle encodes the data. The knowledge of the quarter circle may be used to reject, after each measurement, one half of the possible running keys. Approximately one half of the seed keys will generate one of the running keys that can be ruled out, so those seed keys can be eliminated. Since the running keys for different seeds are not correlated, we are not throwing out the exact same set of seed keys over and over; after each measurement, we are throwing out one half of the seed keys, selected in a uniform fashion. At any step, about as many remaining seed keys generate running keys within the correct quadrant as outside of it; thus we can eliminate approximately half of the remaining keys after each measurement. This is true even when $Q > n_{dep}$; that is, statistical independence is not required.

This estimate does not break down until the estimated 
number of remaining seed keys is of order one. It breaks 
down because there remains the possibility that there will 
be another seed key which will generate running keys 
which, like the running keys generated by the correct 
seed key, are all in the same quadrant as the measure- 
ments. The probability that this is true for any given 
false seed key, however, falls exponentially with the num- 
ber of transmission events. This "probability" involves 
both the truly random measurement noise and the fre- 
quency of occurrence of events in an ensemble generated 
by the deterministic PRNG. 

In summation, the estimate (3) is based on an approximation which continues to hold until Eve's entropy is low (of order one bit) or, equivalently, the probability she assigns to the correct key is high (of order one). It does not rely on the statistical independence of the running keys.
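The simulation procedure described above (uniform seed key and message, LFSR running key, gaussian phase noise, Bayesian update of Eve's seed-key probabilities) and the quarter-circle elimination argument can both be reproduced with the following script. It is an added example written for this page, not code from the Reply or the Letter; the LFSR tap positions, the trial counts, the use of base-2 logarithms in (1), and the treatment of the quarter-circle noise as a hard window of width M/4 are assumptions. With "gauss" noise it reports $H_E(K)$, the estimate $L - QU$ and $P_E(K)$ after each symbol; with "quarter" noise the entropy drops by about one bit per symbol, as the text argues.

```python
import math
import random

# Added example (not the Reply's own code): toy alpha-eta model with a
# ciphertext-only Bayesian eavesdropper.  M symbols on a phase circle, M/2
# bases chosen by a running key from an L-bit LFSR seed, one message bit per
# symbol.  LFSR taps, trial counts and log base 2 in Eq. (1) are assumptions.

def per_symbol_bound(m, sigma):
    """U of Eq. (1), in bits (base-2 logarithm assumed)."""
    return math.log2(m / (sigma * math.sqrt(2 * math.pi * math.e))) - 1

def entropy_estimate(q, length_bits, m, sigma):
    """Estimate (3): H_E(K) ~ L - Q*U, meant for results well above one bit."""
    return length_bits - q * per_symbol_bound(m, sigma)

def lfsr_running_keys(seed, length_bits, taps, bits_per_symbol, num_symbols):
    """Running keys (bits_per_symbol bits each) from a Fibonacci LFSR.
    taps are 1-indexed feedback positions; seed 0 yields all-zero keys."""
    tap_mask = sum(1 << (t - 1) for t in taps)
    full = (1 << length_bits) - 1
    state, keys = seed & full, []
    for _ in range(num_symbols):
        r = 0
        for _ in range(bits_per_symbol):
            r = (r << 1) | (state & 1)
            feedback = bin(state & tap_mask).count("1") & 1
            state = ((state >> 1) | (feedback << (length_bits - 1))) & full
        keys.append(r)
    return keys

def running_key_table(length_bits, taps, bits_per_symbol, num_symbols):
    """Eve knows the PRNG, so she tabulates every seed's running keys."""
    return [lfsr_running_keys(s, length_bits, taps, bits_per_symbol, num_symbols)
            for s in range(1 << length_bits)]

def circular_distance(a, b, m):
    d = abs(a - b) % m
    return min(d, m - d)

def wrapped_gauss(x, sigma, period):
    """Unnormalised gaussian on a circle; three images suffice for sigma << period."""
    return sum(math.exp(-((x - i * period) ** 2) / (2.0 * sigma * sigma))
               for i in (-1, 0, 1))

def likelihood_table(y, m, sigma, noise):
    """P(y | running key r) for r in [0, M/2), marginalised over the unknown
    message bit (ciphertext-only attack).  noise is "gauss" (std sigma in symbol
    units) or "quarter" (uniform over one quarter of the circle, i.e. +-M/8)."""
    half, table = m // 2, []
    for r in range(half):
        lik = 0.0
        for bit in (0, 1):
            symbol = r + half * bit  # the two antipodal states of basis r
            if noise == "gauss":
                lik += 0.5 * wrapped_gauss(y - symbol, sigma, m)
            else:
                lik += 0.5 if circular_distance(y, symbol, m) <= m / 8.0 else 0.0
        table.append(lik)
    return table

def entropy_bits(probs):
    return -sum(p * math.log2(p) for p in probs if p > 0.0)

def simulate_trial(table, m, sigma, noise, rng):
    """One transmission: H_E(K) and P_E(K) after 0..Q symbols."""
    half, n_keys = m // 2, len(table)
    true_seed = rng.randrange(n_keys)            # uniform seed key
    posterior = [1.0 / n_keys] * n_keys          # Eve starts with no information
    entropies, p_correct = [entropy_bits(posterior)], [posterior[true_seed]]
    for q in range(len(table[0])):
        bit = rng.randrange(2)                   # uniform message bit
        sent = (table[true_seed][q] + half * bit) % m
        if noise == "gauss":
            y = (sent + rng.gauss(0.0, sigma)) % m
        else:
            y = (sent + rng.uniform(-m / 8.0, m / 8.0)) % m
        lik = likelihood_table(y, m, sigma, noise)
        posterior = [p * lik[table[k][q]] for k, p in enumerate(posterior)]  # Bayes' rule
        z = sum(posterior)
        posterior = [p / z for p in posterior]
        entropies.append(entropy_bits(posterior))
        p_correct.append(posterior[true_seed])
    return entropies, p_correct

def average_curves(length_bits, m, sigma, num_symbols, trials, taps, noise="gauss", seed=0):
    """Ensemble averages of H_E(K) and P_E(K) over seed key, message and noise."""
    rng = random.Random(seed)
    table = running_key_table(length_bits, taps, int(math.log2(m // 2)), num_symbols)
    ent_sum, p_sum = [0.0] * (num_symbols + 1), [0.0] * (num_symbols + 1)
    for _ in range(trials):
        ent, pc = simulate_trial(table, m, sigma, noise, rng)
        ent_sum = [a + b for a, b in zip(ent_sum, ent)]
        p_sum = [a + b for a, b in zip(p_sum, pc)]
    return [e / trials for e in ent_sum], [p / trials for p in p_sum]

if __name__ == "__main__":
    # The Reply's parameters L = 13, M = 256, sigma = 16; taps and 40 trials assumed.
    L, M, SIGMA, TAPS = 13, 256, 16.0, (13, 4, 3, 1)
    ent, pc = average_curves(L, M, SIGMA, 16, 40, TAPS)
    for q, (h, p) in enumerate(zip(ent, pc)):
        print(f"Q={q:2d}  H_E(K)={h:6.2f}  estimate={entropy_estimate(q, L, M, SIGMA):6.2f}  P_E(K)={p:.4f}")
```

The likelihood is built once per measurement for the M/2 running-key values and then looked up for each of the $2^L$ seed hypotheses, which keeps the update linear in the key space; for the parameters in the Reply ($U \approx 0.95$ bits, $n_0 \approx 14$) the printed entropy tracks $L - QU$ until it is of order one bit, matching the behaviour of Fig. 1.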

In the region about $n_0$, the behavior of the entropy function becomes more complicated. At the present time, we do not have a precise analytic form for the entropy in this region, and so we are limited to numerical simulations such as those shown above. The authors of the Comment claim that no statements about the insecurity of the system may be made until a precise expression, applicable over the entire domain $Q \in [0, \infty)$, is found for the probability that Eve assigns to the correct seed key. While we agree that such an expression would be desirable, we believe that useful statements about the security of αη can be made even without this expression.

For example, consider a user who deploys an αη system with the parameters in the simulation above. She may specify a security requirement to meet the needs of her application. For example, she may require that the eavesdropper's entropy on the key must be more than 5 bits under a ciphertext-only attack. For this system under this requirement, it is clear from Fig. 1 that the system is insecure (i.e. does not meet the requirement) for message lengths above 8 bits. This is a well-quantified statement. It is also clear that she could accurately make this statement based on the estimate (3).

Requiring a limit on Eve's entropy as we do above is a common measure of information-theoretic security. For example, in quantum key distribution experiments, a typical requirement is for Eve's expected information on the key to be less than $10^{-6}$ bits for a secret key of hundreds of bits [5]. The authors of the Comment seem to make the implicit assumption that all security requirements will be stated in the form of a maximum probability that Eve will assign to the correct key. However, even when limited to this sort of security requirement, statements about the security can still be made.

We note that $P_E(K) \ge 2^{-H_E(K)}$. Therefore, knowledge of $H_E(K)$ can be used to show that a maximum bound on $P_E(K)$ is violated, though it is not sufficient to determine that the bound is obeyed. For example, consider an αη system with the parameters above, with a security requirement of $P_E(K) < 2^{-5}$. As seen in Fig. 1, the user could accurately determine from the estimate of $H_E(K)$ that the system would not meet the requirement for message lengths of 9 or more bits. In fact, the system would also be insecure for message lengths of 7 or 8 bits, so she could not use the estimate to find the region of security, but she could determine some message lengths as insecure.

If the security requirement of the user involves an entropy of order one bit or less, or a probability of order one, then the transition will be outside the domain of our estimate (3). In principle, therefore, we would require additional analysis to meet the needs of all users. In practice, however, user requirements tend to be much more stringent. For example, the experiments in [3] typically sacrifice about half the bits for additional privacy amplification so that Eve's knowledge of a fraction of order one bits of the secret key is reduced to the previously mentioned $10^{-6}$ bits of information on hundreds of bits of secret key. Thus, for αη, we might expect typical user requirements to be from a few tens to a few hundreds of bits of entropy on the key. In this region, the estimate (3) will be quite accurate, and should be adequate to find the maximum secure message length.

Another instance where our views on security requirements differ from those of the Comment's authors can be seen by considering the implications of the limit (4). This equation guarantees that for any security requirement with a non-zero key entropy (or a maximum key probability less than one), there exists a message length such that the system will be insecure under a ciphertext-only attack. This was stated more informally in the Letter as "...Eve may have enough information to determine the key with high probability when $Q \gg n_0$." The Comment claims that these statements are "unfalsifiable" and "do not satisfy the requirement of being a scientific claim." However, even in the absence of an analysis such as that given by Figure 1, we believe that our statements are not trivial. In the Letter, we provide a counter-example: the simple additive streaming cipher. For this cipher, $H_E(K) = L$ for all values of Q under the ciphertext-only attack. Thus there exists no Q such that Eve may determine the key with high probability (where "high" may be chosen by the user to have any value above $2^{-L}$). By disproving our statement for another cipher, we show that the statement itself is falsifiable.

In contrast, the authors of the Comment compare the additive stream cipher to αη by claiming that "Intuitively, the measurement noise in αη would make it more secure than an additive stream cipher instead of worse as claimed in [the Letter] at least for the case of known-plaintext attacks where $H(X_n) = 0$." This intuition rests on a particular selection of security requirement contrary to the ones we have discussed above: that is, $H_E(K) = 0$. While, technically speaking, the user may choose any security requirement, we again note that in practice users generally have more stringent requirements. For example, we do not know of any application in which the eavesdropper may know the key with confidence 0.99 and yet the system is considered secure.

This approach to security is perhaps related to the choice in the Comment to focus on the quantity $N_k$, the number of false seed keys to which Eve assigns a non-zero probability. As the Comment points out, the tail of the gaussian noise distribution does not reach zero at any point on the circle. Eve's seed key probabilities are the product of the conditional probabilities of the measurements. The conditional probabilities are all non-zero. Any product of a finite number of non-zero numbers is also non-zero. Hence for any finite Q, Eve will assign a non-zero probability to each seed key. Therefore $N_k = 2^L - 1$ for all finite Q (though $\lim_{Q \to \infty} N_k = 0$).

Though we agree with this analysis, we do not believe it is relevant to users in practice. If it were, the user could make the gaussian noise σ arbitrarily small (say, $\sigma = 10^{-10}$). The eavesdropper would correctly determine each running key and message bit transmitted, with a probability close to one, but could never drive the entropy exactly to zero, or completely rule out the highly improbable messages and keys. But in this case the user could achieve the same result by simply transmitting the plaintext over a channel with an arbitrarily small (but non-zero) bit error rate. Since in practice no channel has a bit error rate which is precisely zero, we believe that if this were the only security requirement the user had, then any real channel would suffice without the need for an encryption system such as αη.

We close by responding to another criticism of our Letter. The authors of the Comment also hold that "there is no commonly agreed meaning of the symbols '≈' and '≪'" and therefore our estimate (3) "is not well-defined... it cannot be falsified, the possibility of the latter being the hallmark of a meaningful scientific statement" (emphasis in original). While we believe that exact equalities are preferable to approximations, we do not agree that all use of approximation is unscientific. For example, we feel no qualms about statements such as

$\tan(x) \approx x$ for $x \ll 1,$ (7)

which was also used in the Letter, without argument from the authors of the Comment, or

$(2^{H(K)} - 1)\,2^{-nD} \approx 2^{H(K) - nD}$ for $2^{H(K)} \gg 1,$ (8)

which was used in the Comment itself (though, to be fair, they used "=" instead of "≈" and did not specify the assumption used in the approximation).

In conclusion, we do not find that the Comment refutes the claims of our Letter. We have performed additional simulations which show that our estimates of the eavesdropper's entropy are quite accurate in the specified domain. We also find that some of the additional claims made in the Comment, while technically true, are not relevant in practice to users of the αη system.